{"id":"ASB-A-364027038", "published":"2025-01-01T00:00:00Z", "modified":"2026-04-29T15:10:00.007170452Z", "aliases":["CVE-2024-49747", "A-364027038"], "details":"In gatts_process_read_by_type_req of gatt_sr.cc, there is a possible out of bounds write due to a logic error in the code. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.", "affected":[{"package":{"name":"platform/packages/modules/Bluetooth", "ecosystem":"Android"}, "ranges":[{"type":"ECOSYSTEM", "events":[{"introduced":"15-next:0"}, {"fixed":"15-next:2025-01-01"}]}], "versions":["15-next"], "ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/packages/modules/Bluetooth/+/7de5617f7d5266fe57c990c428621b5d4e92728a"], "severity":"Critical", "spl":"2025-01-01", "types":["RCE"], "vanir_signatures":[{"deprecated":false, "digest":{"line_hashes":["73195809151671638912021880081212524930", "166502590214268424367121578547746522305", "247706984838498109398675757824649790753", "315019094983899779418568733552817699748", "83762924092308347658617299944389919479", "254902864810161459416971793163088546379", "196178134462344522814176753984460788197", "279622060697144804304625180375643630946", "223477382937635419669272203771965103767", "1960198259503915119967230187628605704", "66254350827859887876499744116862209316", "262806853860335332372772791548586258965", "150611675201788300272142464243413304173"], "threshold":0.9}, "id":"ASB-A-364027038-17a826f7", "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/7de5617f7d5266fe57c990c428621b5d4e92728a", "target":{"file":"system/stack/gatt/gatt_sr.cc"}}, {"deprecated":false, "digest":{"function_hash":"140878766634733266954635798763519620581", "length":1324}, "id":"ASB-A-364027038-3827c5ea", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/7de5617f7d5266fe57c990c428621b5d4e92728a", "target":{"file":"system/stack/gatt/gatt_sr.cc", "function":"gatts_process_primary_service_req"}}, {"deprecated":false, "digest":{"function_hash":"248491112306616213556074563010930516473", "length":1717}, "id":"ASB-A-364027038-3ff0fad8", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/7de5617f7d5266fe57c990c428621b5d4e92728a", "target":{"file":"system/stack/gatt/gatt_sr.cc", "function":"gatts_process_read_by_type_req"}}, {"deprecated":false, "digest":{"function_hash":"69665958368321808384825513943432689445", "length":1157}, "id":"ASB-A-364027038-b43efdf5", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/7de5617f7d5266fe57c990c428621b5d4e92728a", "target":{"file":"system/stack/gatt/gatt_sr.cc", "function":"gatts_process_read_req"}}, {"deprecated":false, "digest":{"function_hash":"324626715642112619947952676342156858113", "length":1017}, "id":"ASB-A-364027038-ba6220ee", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/7de5617f7d5266fe57c990c428621b5d4e92728a", "target":{"file":"system/stack/gatt/gatt_sr.cc", "function":"gatts_process_find_info"}}]}}, {"package":{"name":"platform/system/bt", "ecosystem":"Android"}, "ranges":[{"type":"ECOSYSTEM", "events":[{"introduced":"12:0"}, {"fixed":"12:2025-01-01"}]}], "versions":["12"], "ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/system/bt/+/7e5f45df8880293e1ab40367670d1a8959a542f9"], "severity":"Critical", "spl":"2025-01-01", "types":["RCE"]}}, {"package":{"name":"platform/system/bt", "ecosystem":"Android"}, "ranges":[{"type":"ECOSYSTEM", "events":[{"introduced":"12L:0"}, {"fixed":"12L:2025-01-01"}]}], "versions":["12L"], "ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/system/bt/+/7e5f45df8880293e1ab40367670d1a8959a542f9"], "severity":"Critical", "spl":"2025-01-01", "types":["RCE"]}}, {"package":{"name":"platform/packages/modules/Bluetooth", "ecosystem":"Android"}, "ranges":[{"type":"ECOSYSTEM", "events":[{"introduced":"15:0"}, {"fixed":"15:2025-01-01"}]}], "versions":["15"], "ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/packages/modules/Bluetooth/+/84ea459acaf3c6e7215e044e59dc3e9187f1f7b8"], "severity":"Critical", "spl":"2025-01-01", "types":["RCE"]}}, {"package":{"name":"platform/packages/modules/Bluetooth", "ecosystem":"Android"}, "ranges":[{"type":"ECOSYSTEM", "events":[{"introduced":"13:0"}, {"fixed":"13:2025-01-01"}]}], "versions":["13"], "ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/packages/modules/Bluetooth/+/2fc3087b9ac3019518c6ceb8a64d181d6bb04907"], "severity":"Critical", "spl":"2025-01-01", "types":["RCE"], "vanir_signatures":[{"deprecated":false, "digest":{"function_hash":"59907721387275796891791880982636164831", "length":1709}, "id":"ASB-A-364027038-80714ab1", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/2fc3087b9ac3019518c6ceb8a64d181d6bb04907", "target":{"file":"system/stack/gatt/gatt_sr.cc", "function":"gatts_process_read_by_type_req"}}, {"deprecated":false, "digest":{"function_hash":"268512766584913294539741796509741126456", "length":1013}, "id":"ASB-A-364027038-83af7302", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/2fc3087b9ac3019518c6ceb8a64d181d6bb04907", "target":{"file":"system/stack/gatt/gatt_sr.cc", "function":"gatts_process_find_info"}}, {"deprecated":false, "digest":{"function_hash":"10210466590019957247735252267736265287", "length":1228}, "id":"ASB-A-364027038-a0478448", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/2fc3087b9ac3019518c6ceb8a64d181d6bb04907", "target":{"file":"system/stack/gatt/gatt_sr.cc", "function":"gatts_process_read_req"}}, {"deprecated":false, "digest":{"line_hashes":["196188171440176825939806200179255172593", "1343846276710123130481317655775445976", "162707953477914375301304852354564105157", "237632184094319759594373126038928156", "73412303094902604806141279010004724322", "213793042301422949472188878356196466428", "274459867152185406121724678773523115431", "192696816679659929020304638215736036804", "133504366274441222416588714725015718987", "21203466509074868465527884809617529072", "194708559555065354067195318099669152827", "318666791156319226780322955888919039055", "244954544663744206864763512961316080849"], "threshold":0.9}, "id":"ASB-A-364027038-ab8983b1", "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/2fc3087b9ac3019518c6ceb8a64d181d6bb04907", "target":{"file":"system/stack/gatt/gatt_sr.cc"}}, {"deprecated":false, "digest":{"function_hash":"295457614205376007172365195382679517796", "length":1372}, "id":"ASB-A-364027038-b03cbff8", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/2fc3087b9ac3019518c6ceb8a64d181d6bb04907", "target":{"file":"system/stack/gatt/gatt_sr.cc", "function":"gatts_process_primary_service_req"}}]}}, {"package":{"name":"platform/packages/modules/Bluetooth", "ecosystem":"Android"}, "ranges":[{"type":"ECOSYSTEM", "events":[{"introduced":"14:0"}, {"fixed":"14:2025-01-01"}]}], "versions":["14"], "ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/packages/modules/Bluetooth/+/2fc3087b9ac3019518c6ceb8a64d181d6bb04907"], "severity":"Critical", "spl":"2025-01-01", "types":["RCE"], "vanir_signatures":[{"deprecated":false, "digest":{"line_hashes":["196188171440176825939806200179255172593", "1343846276710123130481317655775445976", "162707953477914375301304852354564105157", "237632184094319759594373126038928156", "73412303094902604806141279010004724322", "213793042301422949472188878356196466428", "274459867152185406121724678773523115431", "192696816679659929020304638215736036804", "133504366274441222416588714725015718987", "21203466509074868465527884809617529072", "194708559555065354067195318099669152827", "318666791156319226780322955888919039055", "244954544663744206864763512961316080849"], "threshold":0.9}, "id":"ASB-A-364027038-191eca3b", "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/2fc3087b9ac3019518c6ceb8a64d181d6bb04907", "target":{"file":"system/stack/gatt/gatt_sr.cc"}}, {"deprecated":false, "digest":{"function_hash":"10210466590019957247735252267736265287", "length":1228}, "id":"ASB-A-364027038-44e14824", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/2fc3087b9ac3019518c6ceb8a64d181d6bb04907", "target":{"file":"system/stack/gatt/gatt_sr.cc", "function":"gatts_process_read_req"}}, {"deprecated":false, "digest":{"function_hash":"268512766584913294539741796509741126456", "length":1013}, "id":"ASB-A-364027038-4638b31c", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/2fc3087b9ac3019518c6ceb8a64d181d6bb04907", "target":{"file":"system/stack/gatt/gatt_sr.cc", "function":"gatts_process_find_info"}}, {"deprecated":false, "digest":{"function_hash":"59907721387275796891791880982636164831", "length":1709}, "id":"ASB-A-364027038-ace40604", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/2fc3087b9ac3019518c6ceb8a64d181d6bb04907", "target":{"file":"system/stack/gatt/gatt_sr.cc", "function":"gatts_process_read_by_type_req"}}, {"deprecated":false, "digest":{"function_hash":"295457614205376007172365195382679517796", "length":1372}, "id":"ASB-A-364027038-c96609ee", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/2fc3087b9ac3019518c6ceb8a64d181d6bb04907", "target":{"file":"system/stack/gatt/gatt_sr.cc", "function":"gatts_process_primary_service_req"}}]}}], "references":[{"type":"ADVISORY", "url":"https://source.android.com/security/bulletin/2025-01-01"}, {"type":"FIX", "url":"https://android.googlesource.com/platform/packages/modules/Bluetooth/+/c7468e64bb5e821563a910ccd8e5693c179c9da4"}]}